Cryptography is no mean field. After all, the science was invented by humans for the purpose of concealing information from other humans. That means that the best cryptographers have to be blindingly smart, with a mastery of mathematics but also a firm grasp of human psychology and, these days, fields such as computer science.

Paul Kocher, president and chief scientist of Cryptography Research, is a good example of the breed. A cryptography superstar, Kocher is credited with helping discover two different techniques for defeating certain kinds of encryption algorithms. He’s also a corporate executive who’s devoted his life to helping create cryptographic applications that can be used in the real world.

Kocher sat down to talk security with InfoWorld Senior Editor Paul F. Roberts at the recent RSA Security Conference in San Francisco. Despite making his name by poking holes in encryption, Kocher says that crypto hacks are the last thing enterprise IT should worry about. A much bigger problem is wrestling with the security implications of application and OS “supersizing” that is being fueled by a new generation of powerful processors.

InfoWorld: Tell us a bit about the history of Cryptography Research and how the security environment has changed since you first started the company.

Paul Kocher: I started Cryptography Research 11 years ago. When I first started working on these problems, we were still at the point where you could understand how systems work. This was back in the DOS days. You had 640K of memory and could run one program at a time. These days, I have no clue what’s running on my laptop. And you probably have no idea, either. There’s too much software there. Moore’s Law has created obesity in systems, so when you’re trying to come up with ways to keep things secret despite this, it’s an enormous problem.

IW: Cryptography is often followed as a kind of arms race, with people who want to make stronger encryption pitted against those who want to break it. Is that the wrong discussion to have?

PK: There are a few pieces that are strong. The math behind modern algorithms is incredibly robust. That’s the thing most people focus on: “We have this brick and it’s really strong, so if we have a system that includes this brick, it will also be really strong.” But implementations are where the problems lie. People tend to get enamored with the cryptography and the algorithms and not pay attention to other things that end up failing.

IW: You talk about the “brittleness” in much of application security. If you were an enterprise shop with internally developed applications, what steps would you take to reduce that brittleness?

PK: One thing I’d do is just step back and have the engineers think about how they would attack the system. It’s a different mindset than how to build features. You start looking for that thread that lets you in, and you learn something useful. Also, try to build your application so that it doesn’t need sophisticated security capabilities. If you’ve got an application on the Web where it’s exposed to outside attacks, just leave the feature out that’s going to create the risks.

IW: What about mobile devices? Microsoft this week announced a new version of Windows Mobile. Are platform companies going to repeat the same mistakes they made on the desktop?

PK: I think Microsoft is certainly following the path it followed with the PC, though the security problems haven’t caught up yet because mobile devices aren’t worth hacking yet.

There’s an inflection point that people almost never recognize until they hit it. It’s the point at which a system becomes worth attacking. You hit the threshold when someone figures out that they could make more money attacking your system than by doing whatever it is they’re doing and after factoring in the risks. At that point, the dynamic changes completely.

As you take mobile devices and put more functions on them, someone will wake up and realize that they can make $15 million hacking them, as opposed to the $80,000 to do their current job. We just don’t know whether that will be this year or 10 years from now.